SUSE: 2018:4296-1 Important: Mailman XSS, CSRF, and Info Leak Issues

Date: December 29, 2018
This Mailman update patches multiple security flaws, addressing XSS, path traversal, and CSRF vulnerabilities affecting a range of SUSE products.
An update that fixes 5 vulnerabilities is now available.

Summary

This update for mailman fixes the following security vulnerabilities:
- Fixed an XSS vulnerability and information leak in the user options CGI, which could be used to execute arbitrary scripts in the user's browser via specially encoded URLs (bsc#1077358 CVE-2018-5950)
- Fixed a directory traversal vulnerability in MTA transports when using the recommended Mailman Transport for Exim (bsc#925502 CVE-2015-2775)
- Fixed an XSS vulnerability which allowed malicious list owners to inject scripts into the listinfo pages (bsc#1099510 CVE-2018-0618)
- Fixed an arbitrary text injection vulnerability in several mailman CGIs (CVE-2018-13796 bsc#1101288)
- Fixed a CSRF vulnerability on the user options page (CVE-2016-6893 bsc#995352)
Patch Instructions:
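The five fixes above share three mitigation patterns: escaping untrusted values before they reach an HTML page (the two XSS and the text injection issues), refusing list names that could be used to traverse the filesystem (the Exim transport issue), and binding a secret token to the session before accepting a change on the options page (the CSRF issue). The Python sketch below is an added illustration of those three patterns; it is not Mailman's code and not part of this advisory. Every function name, the secret, the list-name pattern and the sample inputs are constructed for the example.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import unquote

# Constructed secret for this example only; a real deployment loads it from configuration.
CSRF_SECRET = b"constructed-example-secret"

# Conservative list-name pattern (an assumption for this example): letters, digits,
# '-', '_' and '.', never a path separator, so a name cannot leave the lists directory.
LIST_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def escape_for_html(value: str) -> str:
    """Decode percent-encoding first, then escape so that an encoded '<' cannot
    slip past the escaping step and land in the page as live markup."""
    return html.escape(unquote(value), quote=True)


def is_safe_list_name(name: str) -> bool:
    """Reject names with '/', '\\', '..' or any character outside the allowed set."""
    return bool(LIST_NAME_RE.match(name)) and ".." not in name


def render_listinfo(list_name: str, description: str) -> str:
    """Build a listinfo fragment; the owner-supplied description is escaped, not trusted."""
    return (
        f"<h1>{escape_for_html(list_name)}</h1>"
        f"<p>{escape_for_html(description)}</p>"
    )


def make_csrf_token(user: str, session_nonce: str) -> str:
    """Bind the token to the user and the session so a cross-site form cannot forge it."""
    msg = f"{user}:{session_nonce}".encode()
    return hmac.new(CSRF_SECRET, msg, hashlib.sha256).hexdigest()


def check_csrf(user: str, session_nonce: str, token: str) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    return hmac.compare_digest(make_csrf_token(user, session_nonce), token)


def handle_options_post(form: dict, session: dict) -> tuple:
    """Process a user-options change; returns (accepted, reason).
    The list name is validated before anything touches the filesystem, and the
    change is only applied when the CSRF token matches the caller's session."""
    if not is_safe_list_name(form.get("list", "")):
        return (False, "bad list name")
    if not check_csrf(session["user"], session["nonce"], form.get("csrf_token", "")):
        return (False, "csrf token mismatch")
    return (True, "options updated")


if __name__ == "__main__":
    # Constructed sample session and form data.
    session = {"user": "alice", "nonce": "nonce-1"}
    token = make_csrf_token(session["user"], session["nonce"])
    print(render_listinfo("announce", "<img src=x onerror=alert(1)>"))
    print(handle_options_post({"list": "announce", "csrf_token": token}, session))
    print(handle_options_post({"list": "../../etc", "csrf_token": token}, session))
    print(handle_options_post({"list": "announce", "csrf_token": "forged"}, session))
```

The token is an HMAC over the user and a per-session nonce rather than a random value stored server-side, which keeps the example stateless; either design works as long as the token is checked with a constant-time comparison and is never derivable from values an attacker's page can see.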

References

SUSE bug reports: bsc#1077358, bsc#1099510, bsc#1101288, bsc#925502, bsc#995352

Cross-references: CVE-2015-2775, CVE-2016-6893, CVE-2018-0618, CVE-2018-13796, CVE-2018-5950

Affected Products:

SUSE OpenStack Cloud 7

SUSE Linux Enterprise Server for SAP 12-SP2

SUSE Linux Enterprise Server for SAP 12-SP1

SUSE Linux Enterprise Server 12-SP4

SUSE Linux Enterprise Server 12-SP3

SUSE Linux Enterprise Server 12-SP2-LTSS

SUSE Linux Enterprise Server 12-SP2-BCL

SUSE Linux Enterprise Server 12-SP1-LTSS

SUSE Linux Enterprise Server 12-LTSS

SUSE Enterprise Storage 4

https://www.suse.com/security/cve/CVE-2015-2775.html

https://www.suse.com/security/cve/CVE-2016-6893.html

https://www.suse.com/security/cve/CVE-2018-0618.html

https://www.suse.com/security/cve/CVE-2018-13796.html


Announcement ID: SUSE-SU-2018:4296-1
Rating: important
